feat: initial implementation — pipeline, four tracks, web viewer, CI

[kanywst]

Summary

• Pipeline (scripts/awsdd/): collect (RSS + GitHub Releases) → normalize → score → report as a small shared Python package. Scoring is (freshness × 2) + (keyword × source_weight) + severity with word-bounded keyword matching, so generic fresh items only get the freshness baseline while topic-relevant keyword hits get amplified by source trust.
• Tracks: iam, security, whats-new, releases. Each is self-contained under tracks/<name>/ with config/sources.yaml, an identical Makefile (derives track name from CURDIR), and a track-local README. New tracks via make new-track NAME=<name> and are auto-picked-up by the root Makefile.
• Retention: normalize drops items with published_at older than 180 days from normalized.json, prune.sh keeps 30 days of raw and 60 days of daily reports. Weekly reports are kept indefinitely.
• Web (web/): Astro 6 + Tailwind v4 (postcss) + recharts island. Static output. Routes: /, /<track>/, /<track>/<mode>/<slug>/. Reads tracks/*/data/scored.json and tracks/*/reports/**/*.md at build time. Markdown is sanitized via isomorphic-dompurify.
• CI: ci.yml (lint / type-check / pytest / build), codeql.yml, audit.yml (pip-audit + npm audit + license report), daily-update.yml (06:00 UTC), weekly-digest.yml (Mon 08:00 UTC), deploy-pages.yml (push to main). Dependabot covers pip, npm, github-actions.
• MIT license.
• Seed data committed so the first Pages deploy has content before the first scheduled run lands.

What I verified locally

• All four tracks run make update end-to-end on a clean venv.
• make -C tracks/iam weekly produces reports/weekly/2026-W20.md.
• npm run build produces 10 static pages including dynamic /<track>/<mode>/<slug>/ routes; data loads, links render, no SSR warnings.
• All committed Markdown lints clean against the repo's .markdownlint-cli2.jsonc.
• pytest is green (40 tests, 79% coverage on scripts/awsdd/).
• ruff check + ruff format --check clean.

What I did NOT do

• Enable GitHub Pages on the repo. Settings → Pages → Source must be set to GitHub Actions for deploy-pages.yml to publish.
• Configure branch protection. PRs into main should be gated on ci.yml jobs (Settings → Branches → main).

Test plan

• Settings → Pages → Source = GitHub Actions, then re-run deploy-pages manually.
• Open the deployed home page and confirm: bento layout renders, top items list populated, ISO-week trend chart shows.
• Open /iam/, click into the latest daily/<date>, confirm the rendered Markdown matches tracks/iam/reports/daily/<date>.md.
• Wait for tomorrow's daily-update run; confirm a chore(<track>): daily update YYYY-MM-DD commit lands on main.
• Wait for Monday's weekly-digest run; confirm a chore(<track>): weekly digest YYYY-Www commit lands and a new weekly Markdown appears.

[coderabbitai]

Warning

Rate limit exceeded

@kanywst has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 35 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 862aba7d-4316-42ef-822c-b8338fcfbc2e

📥 Commits

Reviewing files that changed from the base of the PR and between 439ffe4 and 226ea9c.

📒 Files selected for processing (27)

• .github/workflows/daily-update.yml
• .github/workflows/deploy-pages.yml
• .github/workflows/weekly-digest.yml
• Makefile
• scripts/awsdd/_dates.py
• scripts/awsdd/collect_github.py
• scripts/awsdd/collect_rss.py
• scripts/awsdd/config.py
• scripts/awsdd/normalize.py
• scripts/awsdd/report.py
• scripts/awsdd/score.py
• scripts/new-deep-dive.sh
• scripts/new-track.sh
• tests/test_collect_github.py
• tests/test_collect_rss.py
• tests/test_normalize.py
• tests/test_report.py
• tests/test_score.py
• tracks/iam/data/scored.json
• tracks/iam/reports/daily/2026-05-17.md
• tracks/iam/reports/weekly/2026-W20.md
• tracks/releases/data/scored.json
• tracks/releases/reports/daily/2026-05-17.md
• tracks/security/data/scored.json
• tracks/whats-new/data/scored.json
• tracks/whats-new/reports/daily/2026-05-17.md
• web/src/lib/data.ts

📝 Walkthrough

Walkthrough

This PR introduces a complete AWS content aggregation and reporting platform. It implements a Python backend pipeline (RSS/GitHub collection, normalization, scoring) with four pre-configured tracks, multi-step GitHub Actions automation, and a static Astro web frontend. The system collects identity/auth, security, cloud news, and release information from configured sources, ranks by custom scoring logic, and publishes daily/weekly digests alongside an interactive dashboard.

Changes

Complete AWS Deepdive Platform

Layer / File(s)	Summary
Project Foundation README.md, LICENSE, .gitignore, pyproject.toml, requirements*.txt, .pre-commit-config.yaml, .markdownlint-cli2.jsonc	Project documentation, MIT License, configuration for linting/testing/dependencies, and git/editor ignore patterns.
Data Schema and Utilities scripts/awsdd/__init__.py, scripts/awsdd/schema.py, scripts/awsdd/_dates.py, scripts/awsdd/config.py	Item dataclass with source/content/scoring fields; SourceKind type; UTC-aware datetime parsing with epoch fallback; repository path and YAML config loading helpers.
Data Collection Pipeline scripts/awsdd/collect_rss.py, scripts/awsdd/collect_github.py	RSS feed ingestion with feedparser, HTML-to-text conversion (entity unescaping, script stripping), severity inference; GitHub API pagination with release filtering and link header following.
Data Processing Pipeline scripts/awsdd/normalize.py, scripts/awsdd/score.py, scripts/awsdd/report.py	Normalization deduplicates by ID with retention pruning; scoring computes freshness decay + keyword matching + source weighting + severity; report generation filters to windows, ranks, and formats Markdown.
Track Scaffolding and Orchestration Makefile, scripts/new-track.sh, scripts/new-deep-dive.sh, scripts/prune.sh, templates/deep-dive.md, templates/lab-report.md, templates/new-track/	Root Makefile orchestrating multi-track workflows; track template with Makefile and config stub; Bash scripts for creating new tracks/deep-dives with placeholder substitution; artifact pruning script.
Four Concrete Tracks tracks/iam/, tracks/security/, tracks/whats-new/, tracks/releases/	IAM, security, news, and release tracks with per-track Makefiles, README docs, YAML source configs (keywords, weights, RSS feeds, GitHub repos), sample raw/normalized/scored data, and generated daily/weekly reports.
GitHub Automation Workflows .github/dependabot.yml, .github/workflows/audit.yml, .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/daily-update.yml, .github/workflows/deploy-pages.yml, .github/workflows/weekly-digest.yml	Dependabot for dependencies; audit for vulnerability/license scanning; CI for linting/testing/builds; CodeQL for security analysis; daily/weekly track automation with retry logic; GitHub Pages deployment.
Testing Infrastructure tests/conftest.py, tests/fixtures/, tests/test_collect_*.py, tests/test_normalize.py, tests/test_score.py, tests/test_report.py, tests/test_pipeline.py	pytest fixtures for isolated filesystem testing; RSS/GitHub release fixtures; unit tests for collection, normalization, scoring, reporting; end-to-end pipeline smoke test.
Web Frontend Configuration web/astro.config.mjs, web/package.json, web/postcss.config.mjs, web/tsconfig.json, web/.gitignore	Astro static site builder with React integration and Shiki highlighting; npm dependencies (Astro, React, Tailwind, recharts, marked, DOMPurify); PostCSS with Tailwind; TypeScript strict mode.
Web Frontend Styling and Layout web/src/styles/global.css, web/src/layouts/Base.astro	Dark theme global CSS with Tailwind directives, typography, and Markdown prose customization; Base layout providing header navigation, slot content area, and footer attribution.
Web Frontend Components web/src/components/ItemRow.astro, web/src/components/TrackCard.astro, web/src/components/TrendChart.tsx	Reusable ItemRow component for item lists; TrackCard for track summaries with latest report; TrendChart React component for weekly volume area chart.
Web Frontend Data and Utilities web/src/lib/data.ts, web/src/lib/markdown.ts	TypeScript loaders for scored items, track filtering, markdown report reading, and weekly volume aggregation; Markdown-to-HTML conversion with GFM and sanitization.
Web Frontend Pages web/src/pages/index.astro, web/src/pages/[track]/index.astro, web/src/pages/[track]/[mode]/[slug].astro	Homepage with top-12 items and trend chart; per-track pages with reports and top items; dynamic report detail pages with breadcrumb navigation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

This PR introduces a substantial new system with multiple interconnected layers: Python data pipeline (collection, normalization, scoring), Bash/Make automation infrastructure, four fully-configured tracks with real data, eight GitHub Actions workflows, comprehensive test coverage, and a complete Astro web frontend. While many individual files are straightforward configuration or data files, the integration points (script entry points, data contracts, API pagination, scoring logic, route generation) demand careful review. The heterogeneity of Python, Bash, YAML, JavaScript, TypeScript, and Markdown changes across a broad scope, and the end-to-end flow from collection through rendering requires understanding the entire pipeline. Medium-to-high complexity overall due to logic density in collectors/scorers and the breadth of moving parts.

🐰 A deepdive into data flows so grand,
RSS feeds and GitHub at hand,
Scored and sorted with care,
Reports that are rare,
A dashboard to learn AWS's land! 🌟

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/initial-scaffold

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[kanywst]

/gemini review

[kanywst]

/gemini review

[gemini-code-assist]

Code Review

This pull request initializes the aws-deepdive project, an automated system for collecting, scoring, and reporting AWS identity and security updates. The implementation features a Python-based data pipeline for RSS and GitHub release ingestion, a customizable scoring engine, and an Astro-powered web frontend for displaying daily and weekly digests. Additionally, the PR includes comprehensive test coverage, GitHub Actions workflows for automated updates, and scaffolding scripts for extending the project with new tracks. I have no feedback to provide.